Beyond compliance: Keys to effective user access risk management

Commentary--The stakes involved in access-related risk have risen dramatically in recent years as organizations have become thoroughly operational by technology. Risks related to unauthorized or inappropriate access can appear anywhere within an organization at any time and spread rapidly through the business. The potential cost in terms of lost revenue and increased expense or in damage to customer relationships as well as the loss of corporate brand and reputation is virtually unlimited.

At the same time, an organization’s IT infrastructure today must be responsive to user demands and somewhat porous in order for business to be transacted. Enforcing security can’t be at the expense of the business being able to move forward and take advantage of marketplace opportunity.

Primary responsibility for managing it usually still resides with the IT security organization. As a result, many IT security managers are caught between the competing pressures to provide ready access to legitimate users while not allowing access-related vulnerabilities to turn into operating performance problems, compliance violations, or shareholder valuation issues.

When does access-related risk become unacceptable?
The foundation of any access risk management initiative should be adherence to the principle of least privileged access: legitimate users should have no more access than the minimum required for their jobs.

The concept of access encompasses variables such as business roles and levels of entitlement within particular IT resources. Only by understanding this full context can a user be matched with entitlements in such a way as to ensure that access is limited to the minimum required.

Unacceptable access risks begin to appear when this principle is violated, and they often result from one of four causes.

Entitlement inertia is the failure to remove previously issued entitlements once they are no longer necessary or appropriate. It is not unusual, for example, for employees to accumulate unnecessary access privileges as they are promoted or transferred within an organization.

Compliance myopia results from the mistaken assumption that compliance with access-related regulatory guidelines ensures adequate access risk management. Just because an access meets regulatory guidelines does not mean that it is consistent with the rule of least privileged access and other access governance best practices.

Rubber-stamping occurs when business managers are asked to review and approve access entitlements that are communicated to them in a security syntax language that they cannot understand. In fact, asking business unit managers to certify employee access using an RACF mainframe security administrators report can result in audit failure.

Accountability loopholes are open as long as full responsibility for access governance is limited to IT. IT security teams are providing access on the request of the business, but they do not have the domain expertise to understand what level of access is needed for a particular business role. Business units and IT teams are certainly not experts in compliance regulations but audit and compliance departments are. It is essential, therefore, that audit, risk and compliance teams collaborate on managing access policies management, and that accountability for compliance with regulations and policy be extended to the appropriate business managers.

How a risk probability turns into an event
Once access-related vulnerabilities appear within an enterprise information system, problems can materialize in several ways.

Inadvertent error can lead to data loss, operating failure, or other negative consequences. These events are the result of unintentional mistakes, but they can be just as costly as deliberate system attacks.

Insider malfeasance is a surprisingly common occurrence. According to a recent McAfee survey of corporate IT managers, 60% of respondents said that system breaches were chiefly the work of individuals operating within the firewall.

Outsider security lapses are a constant threat to every large organization’s IT infrastructure. Although security breaches by outsiders are often accomplished through attacks on system firewalls, they sometimes go undetected as the result of an enterprise’s failure to follow basic access governance best practices.

Outsourcing can be another source of malfeasance or unintentional error. When a third party becomes involved in managing an enterprise’s information assets, there is an inherent increase in risk. This should be recognized and managed by ensuring that the third party conforms to all enterprise security policies.

The consequences
The costs that an enterprise can incur as a result of poor risk management stem from a variety of sources, but they generally fall into three broad risk categories.

Legal and regulatory risk can entail financial liabilities in the form of fines, restitution, and remediation costs.

Operational risk, due either to deliberate malfeasance or human error, can also lead to enormous costs resulting from lack of system availability or loss of revenue.

Brand and reputation risk associated with a loss of customer or investor confidence can, if realized, be costly as well.

What to do about access-related risk
Most large enterprises already have a set of policies designed to ensure that proper oversight of system access is maintained. But in many cases, these policies have not been fully operational. As long as they reside in three-ring binders without being instantiated in the daily behaviors of key managers in IT, audit/compliance, and the business units, the policies are not likely to be enforced consistently. Automation is the key to driving comprehensive access risk management into the DNA of the enterprise so that risk is properly monitored, managed, and mitigated.

Monitoring risk requires providing business managers with a full view of access entitlements in an easily understood format and a simple, automated way for those managers to certify (or decertify) existing roles and their corresponding entitlements or to authorize new ones.

Managing risk requires that accountability for linking entitlements to roles and roles to people must be shared by business managers. But business managers must be able to understand what the entitlement is, whether it is appropriate for a user’s role in the organization and who has it or will have it as a result of the certification. In addition, the manager must know or otherwise be guided by the relevant regulatory requirements and internal policies that need to be enforced in order to ensure good access governance.

Mitigating risk requires an automated system for remediation. Automation is the only way to ensure that the right people are quickly informed of policy violations, and that these are quickly dealt with.

With such a system in place, a large enterprise will be well on its way to managing the business and regulatory risks of inappropriate access to its applications and information. The right solution requires a strategic approach to access governance based on auditable business processes that enable line-of-business managers and information security, audit, and compliance teams to collaborate while ensuring accountability, transparency, and visibility.

biography
Deepak Taneja is the CEO of Aveksa, Inc., the market-leading provider of enterprise access governance solutions. Aveksa provides enterprises with a comprehensive, enterprise-class, access governance, risk management and compliance solution. Aveksa's technology automates the monitoring, reporting, certification and remediation of user entitlements and roles; enables role discovery and lifecycle management; and delivers unmatched visibility into the true state of user access rights.